Add basic support for simulating PLT stubs and shared libraries #320
Merged
Conversation
bboston7 approved these changes on Feb 23, 2023:
Looks good! Thank you for upstreaming this!
This:

* Bumps the `elf-edit` submodule to bring in the changes from GaloisInc/elf-edit#34.
* Updates `Data.Macaw.Memory.ElfLoader` to consolidate the symbol table logic with the corresponding functions from `elf-edit`.

Fixes #277.
This extends `Data.Macaw.Symbolic.Testing` in `macaw-symbolic` to be able to handle binaries that depend on shared libraries. This is fully functional for the x86-64 and AArch32 symbolic backends, and I have added test cases to the respective repos demonstrating that it works. (The PowerPC backend is not yet supported. At a minimum, this is blocked on GaloisInc/elf-edit#35.)

To implement this, I also needed to add some additional infrastructure to `macaw-base` (I put this infrastructure here as it doesn't depend on any Crucible-specific functionality):

* `Data.Macaw.Memory.ElfLoader.DynamicDependencies`: a basic ELF dynamic loader that performs a breadth-first search over all `DT_NEEDED` entries that an ELF binary depends on (both directly and indirectly).
* `Data.Macaw.Memory.ElfLoader.PLTStubs`: a collection of heuristics for detecting the addresses of PLT stubs in a dynamically linked binary.

It is worth noting that shared libraries are rife with nuance and subtlety, and the way `macaw` models shared libraries is not 100% accurate. I have written a lengthy `Note [Shared libraries]` in `Data.Macaw.Symbolic.Testing` to describe where corners had to be cut.

Fixes #318.
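The breadth-first walk over `DT_NEEDED` that the description attributes to `Data.Macaw.Memory.ElfLoader.DynamicDependencies` is easy to get subtly wrong (cycles, libraries that cannot be found, `DT_STRTAB` being a virtual address rather than a file offset). The following is an added example in Python, not macaw's Haskell code and not from this PR: it parses `PT_DYNAMIC` of a little-endian ELF64 image, extracts the sonames, and walks the graph breadth-first, visiting each soname once. Library lookup is delegated to a caller-supplied `load(name)` callback so it runs offline on constructed images; the function and constant names (`dt_needed`, `transitive_deps`, `build_elf`, `SAMPLE_IMAGES`) are the example's own, and the search semantics of the real dynamic linker (`DT_RUNPATH`, `LD_LIBRARY_PATH`, `ld.so.cache`) are deliberately not modelled.

```python
"""Added example: DT_NEEDED extraction plus a breadth-first dependency walk
over ELF64 (little-endian) images. Not part of macaw."""
import struct
from collections import deque
from typing import Callable, List, Optional, Tuple

# Layouts and tags from the ELF64 specification.
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
DYN_FMT = "<qQ"                  # Elf64_Dyn, 16 bytes
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10


def dt_needed(image: bytes) -> List[str]:
    """Return the DT_NEEDED sonames of a little-endian ELF64 image."""
    ehdr = struct.unpack_from(EHDR_FMT, image, 0)
    ident = ehdr[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 images are supported")
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]

    loads, dynamic = [], None
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, image, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:          # no dynamic segment: statically linked
        return []

    def vaddr_to_offset(va: int) -> int:
        # DT_STRTAB is a virtual address; map it to a file offset via PT_LOAD.
        for v, o, size in loads:
            if v <= va < v + size:
                return o + (va - v)
        raise ValueError("DT_STRTAB 0x%x is not backed by a PT_LOAD" % va)

    needed_idx, strtab, strsz = [], None, None
    dyn_off, dyn_size = dynamic
    for pos in range(dyn_off, dyn_off + dyn_size, 16):
        tag, val = struct.unpack_from(DYN_FMT, image, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed_idx.append(val)
        elif tag == DT_STRTAB:
            strtab = val
        elif tag == DT_STRSZ:
            strsz = val
    if strtab is None:
        raise ValueError("PT_DYNAMIC without DT_STRTAB")
    base = vaddr_to_offset(strtab)

    names = []
    for idx in needed_idx:
        if strsz is not None and idx >= strsz:   # refuse out-of-table indices
            raise ValueError("DT_NEEDED index %d outside DT_STRSZ" % idx)
        end = image.index(b"\0", base + idx)
        names.append(image[base + idx:end].decode())
    return names


def transitive_deps(root: str,
                    load: Callable[[str], Optional[bytes]]
                    ) -> Tuple[List[str], List[str]]:
    """Breadth-first walk over DT_NEEDED starting at `root`.

    Returns (sonames in discovery order, sonames `load` could not find).
    Every soname is enqueued once, so cycles (libA -> libB -> libA) terminate.
    """
    order, missing = [], []
    seen = {root}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        image = load(name)
        if image is None:
            missing.append(name)
            continue
        for dep in dt_needed(image):
            if dep not in seen:
                seen.add(dep)
                order.append(dep)
                queue.append(dep)
    return order, missing


def build_elf(needed: List[str]) -> bytes:
    """Constructed test fixture: a minimal ET_DYN image holding one PT_LOAD
    that covers the whole file, one PT_DYNAMIC, and a string table."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    idx, pos = [], 1
    for n in needed:
        idx.append(pos)
        pos += len(n) + 1
    dyn_off = 64 + 2 * 56                        # right after the two phdrs
    str_off = dyn_off + 16 * (len(needed) + 3)   # NEEDED..., STRTAB, STRSZ, NULL
    total = str_off + len(strtab)
    dyn = b"".join(struct.pack(DYN_FMT, DT_NEEDED, i) for i in idx)
    dyn += struct.pack(DYN_FMT, DT_STRTAB, str_off)
    dyn += struct.pack(DYN_FMT, DT_STRSZ, len(strtab))
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph_load = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    ph_dyn = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)
    return ehdr + ph_load + ph_dyn + dyn + strtab


# Constructed dependency graph: a cycle (libfoo <-> libbar) and one library
# that no loader can find.
SAMPLE_IMAGES = {
    "app":         build_elf(["libfoo.so.1", "libc.so.6"]),
    "libfoo.so.1": build_elf(["libbar.so.2", "libc.so.6"]),
    "libbar.so.2": build_elf(["libfoo.so.1", "libmissing.so"]),
    "libc.so.6":   build_elf([]),
}

if __name__ == "__main__":
    order, missing = transitive_deps("app", SAMPLE_IMAGES.get)
    print("discovery order:", order)
    print("unresolved:", missing)
```

Pass a real lookup (for instance one that reads `name` from a list of search directories) as `load` to run this over files on disk. The returned `missing` list is the check worth keeping: a symbolic-execution harness that silently skips an unresolved `DT_NEEDED` will later fault on the first PLT stub into that library, which is the failure mode the shared-library note above is about.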
RyanGlScott added a commit to GaloisInc/macaw-loader that referenced this pull request on Feb 23, 2023:

This:

* Bumps the `elf-edit` submodule to bring in the changes from GaloisInc/elf-edit#34, which adds `decodeHeaderDynsym`.
* Bumps the `macaw` submodule to bring in the changes from GaloisInc/macaw#320, which changes the ELF loader to always load dynamic function symbols. (Bumping the `macaw` submodule also requires bumping the `crucible`, `llvm-pretty`, and `semmc` submodules to adapt to recent changes.)
* Modifies the code for X86-64, AArch32, and PPC to always include dynamic function symbols.

Fixes #12.
RyanGlScott added a commit to GaloisInc/macaw-loader that referenced this pull request on Feb 25, 2023 (same commit message as the Feb 23, 2023 commit).
RyanGlScott added a commit to RyanGlScott/pate that referenced this pull request on Nov 14, 2023:

Previously, PATE had no PLT stub-finding heuristics for PPC32, which meant that PATE would crash whenever it tried to execute code that invokes a PLT stub. While it is difficult in general to predict what the layout of a `.plt` section will be on an arbitrary PPC32 binary, we can at least give PATE some plausible heuristics that were derived from the `target1-self` binary. Previously, the code in `Pate.Discovery.PLT` hard-coded heuristics that were specific to AArch32, so this patch needed to cargo-cult some code from GaloisInc/macaw#320 in order to appropriately generalize the code to other architectures.
danmatichuk pushed a commit to GaloisInc/pate that referenced this pull request on Nov 15, 2023 (same commit message as the Nov 14, 2023 commit).